Canadian group: Facebook “a minefield of privacy invasion”

The Canadian Internet Policy and Public Interest Clinic has filed a complaint …

Facebook is the focus of a new complaint in Canada over its privacy policies and practices. The Canadian Internet Policy and Public Interest Clinic (CIPPIC) filed the complaint this morning, asking the Privacy Commissioner of Canada to review what the CIPPIC believes are various violations of Canadian privacy law. There are 22 violations in all, says CIPPIC, making Facebook "a minefield of privacy invasion."

Facebook's policies and practices were analyzed by a "team of law students" over the winter, resulting in their discovery of what they believe to be numerous violations of the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA). Some of the issues raised in the complaint are a little benign: for example, CIPPIC takes issue with the fact that all of a user's friends can see Wall posts (comments) left by other friends, and that it's not easy to simply delete all Wall posts with a single click. Other issues, however, are more serious, like a user's inability to easily delete his or her account and all the data associated with it. (Instead, users can choose to suspend their accounts, leaving their data dormant with Facebook—for potential reactivation—for an unspecified amount of time.)

CIPPIC points out a number of other violations that have raised the eyebrows of users for some time now. Facebook fails to disclose why every third-party Facebook application must have access to every bit of a user's personal data (this is something that annoys me, personally), and requires the submission of a user's date of birth upon registration even though there are no age guidelines for using the service. Facebook also fails to obtain express consent to share users' personal information by making all information partially public by default (users can change privacy settings after saving the information first). The same goes for photographs uploaded by the user, or photos uploaded and tagged by others that then show up on the user's profile by default—whether they like it or not.

Of course, no privacy complaint about Facebook would be complete without a mention of Beacon and Facebook's advertising practices. Beacon is a system that allows partner sites—like Yelp, Blockbuster, Fandango, and 40-some others—to communicate users' off-Facebook activities to Facebook. When it was launched late last year, Beacon caused a public outcry almost immediately, because it published people's online purchases directly to their news feeds with little-to-no way to get out of it. Facebook eventually reevaluated Beacon and changed a number of privacy settings so that off-Facebook activities wouldn't be published publicly by default. The site still transfers user data from non-Facebook sites (with absolutely no way for users to opt out of that behavior), which has resulted in at least one lawsuit so far. CIPPIC's issues with Beacon are the same as all the others—Facebook fails to give users an easy way to opt out of all Beacon activities, and fails to notify users that their personal information is being used for advertising purposes.

Those are just a few of the numerous points brought up by CIPPIC, but you get the idea. At every turn, Facebook seems to do not quite enough to satisfy the concerns of privacy advocates—not to mention that Facebook's activities tend to worry those who don't want their data exploited for commercial purposes. "We're concerned that Facebook is deceiving its users," said one of the law students behind the complaint, Lisa Feinberg. "Facebook promotes itself as a social utility, but it's also involved in commercial activities like targeted advertising. Facebook users need to know that when they're signing up to Facebook, they're signing up to share their information with advertisers."

Further reading:

Jacqui Cheng
Jacqui is an Editor at Large at Ars Technica, where she has spent the last eight years writing about Apple culture, gadgets, social networking, privacy, and more. Emailjacqui@arstechnica.com//Twitter@eJacqui